Managing security groups for data instances

ABSTRACT

Access level and security group information can be updated for a data instance without having to take down or recycle the instance. A data instance created in a data environment will have at least one default security group. Permissions can be applied to the default security group to limit access via the data environment. A control security group can be created in a control environment and associated with the default security group. Permissions can be applied and updated with respect to the control security group without modifying the default security group, such that the data instance does not need to be recycled or otherwise made unavailable. Requests to perform actions with respect to the control security groups are made via the control environment, while allowing native access to the data via the data environment.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/648,886, filed Jul. 10, 2017, which is a continuation of U.S. patentapplication Ser. No. 12/416,017, filed Mar. 31, 2009, now U.S. Pat. No.9,705,888, which is hereby incorporated by reference herein in itsentirety, and which is related to U.S. patent application Ser. No.12/415,958, entitled “Control Service and Relational Data Management,”filed Mar. 31, 2009, now U.S. Pat. No. 8,713,060, which are hereinincorporated by reference in their entirety.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialthat is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

BACKGROUND

As an increasing number of applications and services are being madeavailable over networks such as the Internet, an increasing number ofcontent, application, and/or service providers are turning totechnologies such as cloud computing. Cloud computing, in general, is anapproach to providing access to electronic resources through services,such as Web services, where the hardware and/or software used to supportthose services is dynamically scalable to meet the needs of the servicesat any given time. A user or customer typically will rent, lease, orotherwise pay for access to resources through the cloud, and thus doesnot have to purchase and maintain the hardware and/or software toprovide access to these resources.

Customers often need to modify the set of users granted access to a datasource, such as where employees or other users are added, deleted, orobtain different access or responsibilities. In conventional systems,users and user access parameters are manually adjusted by a databaseadministrator (DBA) or other such user. The adjustment of the nativeusers of the data source typically affects the availability of the datasource for a period of time, as the data source must be taken down toadjust user information for the data source. Such a process is not onlytime consuming and expensive, but requires periodic outages of the datasource.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments in accordance with the present disclosure will bedescribed with reference to the drawings, in which:

FIG. 1 illustrates an environment in which various embodiments can beimplemented;

FIG. 2 illustrates an example separation of a control plane and a dataplane that can be used in accordance with various embodiments;

FIG. 3 illustrates an example process for performing an action inaccordance with one embodiment;

FIG. 4 illustrates an example process for associating a control securitygroup with a default security group that can be used in accordance withone embodiment;

FIG. 5 illustrates components that can be used to store security groupinformation in accordance with one embodiment; and

FIG. 6 illustrates an example interface for specifying security groupparameters that can be performed in accordance with one embodiment.

DETAILED DESCRIPTION

Systems and methods in accordance with various embodiments of thepresent disclosure may overcome one or more of the aforementioned andother deficiencies experienced in conventional approaches to managingaspects of data storage in an electronic environment. In particular,various embodiments provide a separate control environment, or controlplane, that can be used to monitor and/or control aspects of a dataenvironment, or data plane. The functionality of a control plane can beprovided as a set of Web services, for example, enabling the controlplane to act as a virtual database administrator (DBA). A user orcustomer can submit a request to the control plane through anexternally-visible application programming interface (API), for example,which can be analyzed to determine actions to be performed in the dataplane, such as actions that create, delete, modify, expand, or otherwisemodify a data store or data storage instance. State information can bepassed to a component of the data plane for each task necessary toperform the action, such that the control plane can manage theperformance of the tasks without having direct access into the datastores or other such components of the data plane. Once provisioned, auser can have native access to the data instance(s) in the data plane,and can simply point existing applications (such as MySQL applications)to the domain name system (DNS) name or other location information forthe particular data instance. There is no restriction or modification ofquery models or other such functionality, as a user can continue to useapplications built on MySQL, Oracle, or other such database technology.

Systems and methods in accordance with various embodiments takeadvantage of components of the control plane to manage access level andsecurity group information for a data instance without having to takedown or recycle the data instance in the data environment. A datainstance created in a data environment can have at least one defaultsecurity group generated. Using the control plane, permissions can beapplied to the default security group to limit access via the dataenvironment. At least one control security group can be created usingthe control plane, which can be associated with the default securitygroup. Permissions can be applied and updated with respect to thecontrol security group without modifying the default security group inthe data environment, such that the data instance does not need to berecycled or otherwise made unavailable. Requests to perform actions withrespect to the control security groups can be made via the controlplane, while allowing native access to the data via the dataenvironment.

FIG. 1 illustrates an example of an environment 100 for implementingaspects in accordance with various embodiments. As will be appreciated,although a Web-based environment is used for purposes of explanation,different environments may be used, as appropriate, to implement variousembodiments. The environment 100 shown includes both a testing ordevelopment portion (or side) and a production portion. The productionportion includes an electronic client device 102, which can include anyappropriate device operable to send and receive requests, messages, orinformation over an appropriate network 104 and convey information backto a user of the device. Examples of such client devices includepersonal computers, cell phones, handheld messaging devices, laptopcomputers, set-top boxes, personal data assistants, electronic bookreaders, and the like. The network can include any appropriate network,including an intranet, the Internet, a cellular network, a local areanetwork, or any other such network or combination thereof. Componentsused for such a system can depend at least in part upon the type ofnetwork and/or environment selected. Protocols and components forcommunicating via such a network are well known and will not bediscussed herein in detail. Communication over the network can beenabled by wired or wireless connections, and combinations thereof. Inthis example, the network includes the Internet, as the environmentincludes a Web server 106 for receiving requests and serving content inresponse thereto, although for other networks an alternative deviceserving a similar purpose could be used as would be apparent to one ofordinary skill in the art.

The illustrative environment includes at least one application server108 and a data store 110. It should be understood that there can beseveral application servers, layers, or other elements, processes, orcomponents, which may be chained or otherwise configured, which caninteract to perform tasks such as obtaining data from an appropriatedata store. As used herein the term “data store” refers to any device orcombination of devices capable of storing, accessing, and retrievingdata, which may include any combination and number of data servers,databases, data storage devices, and data storage media, in anystandard, distributed, or clustered environment. The application servercan include any appropriate hardware and software for integrating withthe data store as needed to execute aspects of one or more applicationsfor the client device, handling a majority of the data access andbusiness logic for an application. The application server providesaccess control services in cooperation with the data store, and is ableto generate content such as text, graphics, audio, and/or video to betransferred to the user, which may be served to the user by the Webserver in the form of HTML, XML, or another appropriate structuredlanguage in this example. The handling of all requests and responses, aswell as the delivery of content between the client device 102 and theapplication server 108, can be handled by the Web server. It should beunderstood that the Web and application servers are not required and aremerely example components, as structured code discussed herein can beexecuted on any appropriate device or host machine as discussedelsewhere herein. Further, the environment can be architected in such away that a test automation framework can be provided as a service towhich a user or application can subscribe. A test automation frameworkcan be provided as an implementation of any of the various testingpatterns discussed herein, although various other implementations can beused as well, as discussed or suggested herein.

The environment also includes a development and/or testing side, whichincludes a user device 118 allowing a user such as a developer, dataadministrator, or tester to access the system. The user device 118 canbe any appropriate device or machine, such as is described above withrespect to the client device 102. The environment also includes adevelopment server 120, which functions similar to the applicationserver 108 but typically runs code during development and testing beforethe code is deployed and executed on the production side and isaccessible to outside users, for example. In some embodiments, anapplication server can function as a development server, and separateproduction and testing storage may not be used.

The data store 110 can include several separate data tables, databases,or other data storage mechanisms and media for storing data relating toa particular aspect. For example, the data store illustrated includesmechanisms for storing production data 112 and user information 116,which can be used to serve content for the production side. The datastore also is shown to include a mechanism for storing testing data 114,which can be used with the user information for the testing side. Itshould be understood that there can be many other aspects that may needto be stored in the data store, such as for page image information andaccess right information, which can be stored in any of the above listedmechanisms as appropriate or in additional mechanisms in the data store110. The data store 110 is operable, through logic associated therewith,to receive instructions from the application server 108 or developmentserver 120, and obtain, update, or otherwise process data in responsethereto. In one example, a user might submit a search request for acertain type of item. In this case, the data store might access the userinformation to verify the identity of the user, and can access thecatalog detail information to obtain information about items of thattype. The information then can be returned to the user, such as in aresults listing on a Web page that the user is able to view via abrowser on the user device 102. Information for a particular item ofinterest can be viewed in a dedicated page or window of the browser.

Each server typically will include an operating system that providesexecutable program instructions for the general administration andoperation of that server, and typically will include a computer-readablemedium storing instructions that, when executed by a processor of theserver, allow the server to perform its intended functions. Suitableimplementations for the operating system and general functionality ofthe servers are known or commercially available, and are readilyimplemented by persons having ordinary skill in the art, particularly inlight of the disclosure herein.

The environment in one embodiment is a distributed computing environmentutilizing several computer systems and components that areinterconnected via communication links, using one or more computernetworks or direct connections. However, it will be appreciated by thoseof ordinary skill in the art that such a system could operate equallywell in a system having fewer or a greater number of components than areillustrated in FIG. 1. Thus, the depiction of the system 100 in FIG. 1should be taken as being illustrative in nature, and not limiting to thescope of the disclosure.

An environment such as that illustrated in FIG. 1 can be useful for aprovider such as an electronic marketplace, wherein multiple hosts mightbe used to perform tasks such as serving content, authenticating users,performing payment transactions, or performing any of a number of othersuch tasks. Some of these hosts may be configured to offer the samefunctionality, while other servers might be configured to perform atleast some different functions. The electronic environment in such casesmight include additional components and/or other arrangements, such asthose illustrated in the configuration 200 of FIG. 2, discussed indetail below.

Systems and methods in accordance with one embodiment provide arelational database service (“RDS”) that enables developers, customers,or other authorized users to easily and cost-effectively obtain andconfigure relational databases so that users can perform tasks such asstoring, processing, and querying relational data sets in a cloud. Whilethis example is discussed with respect to the Internet, Web services,and Internet-based technology, it should be understood that aspects ofthe various embodiments can be used with any appropriate servicesavailable or offered over a network in an electronic environment.Further, while the service is referred to herein as a “relationaldatabase service,” it should be understood that such a service can beused with any appropriate type of data repository or data storage in anelectronic environment. An RDS in this example includes at least one Webservice that enables users or customers to easily manage relational datasets without worrying about the administrative complexities ofdeployment, upgrades, patch management, backups, replication, failover,capacity management, scaling, and other such aspects of data management.Developers are thus freed to develop sophisticated cloud applicationswithout worrying about the complexities of managing the databaseinfrastructure.

An RDS in one embodiment provides a separate “control plane” thatincludes components (e.g., hardware and software) useful for managingaspects of the data storage. In one embodiment, a set of data managementapplication programming interfaces (APIs) or other such interfaces areprovided that allow a user or customer to make calls into the RDS toperform certain tasks relating to the data storage. The user still canuse the direct interfaces or APIs to communicate with the datarepositories, however, and can use the RDS-specific APIs of the controlplane only when necessary to manage the data storage or perform asimilar task.

FIG. 2 illustrates an example of an RDS implementation 200 that can beused in accordance with one embodiment. In this example, a computingdevice 202 for an end user is shown to be able to make calls through anetwork 206 into a control plane 208 to perform a task such as toprovision a data repository of the data plane 210. The user or anapplication 204 can access the provisioned repository directly throughan interface of a data plane 210. While an end user computing device andapplication are used for purposes of explanation, it should beunderstood that any appropriate user, application, service, device,component, or resource can access the interface(s) of the control planeand/or data plane as appropriate in the various embodiments. Further,while the components are separated into control and data “planes,” itshould be understood that this can refer to an actual or virtualseparation of at least some resources (e.g., hardware and/or software)used to provide the respective functionality.

The control plane 208 in this example is essentially a virtual layer ofhardware and software components that handles control and managementactions, such as provisioning, scaling, replication, etc. The controlplane in this embodiment includes a Web services layer 212, or tier,which can include at least one Web server, for example, along withcomputer-executable software, application servers, or other suchcomponents. The Web services layer also can include a set of APIs 232(or other such interfaces) for receiving Web services calls or requestsfrom across the network 206, which the Web services layer can parse orotherwise analyze to determine the steps or actions needed to act on orprocess the call. For example, a Web service call might be received thatincludes a request to create a data repository. In this example, the Webservices layer can parse the request to determine the type of datarepository to be created, the storage volume requested, the type ofhardware requested (if any), or other such aspects. Information for therequest can be written to an administration (“Admin”) data store 222, orother appropriate storage location or job queue, for subsequentprocessing.

A Web service layer in one embodiment includes a scalable set ofcustomer-facing servers that can provide the various control plane APIsand return the appropriate responses based on the API specifications.The Web service layer also can include at least one API service layerthat in one embodiment consists of stateless, replicated servers whichprocess the customer APIs. The Web service layer can be responsible forWeb service front end features such as authenticating customers based oncredentials, authorizing the customer, throttling customer requests tothe API servers, validating user input, and marshalling or unmarshallingrequests and responses. The API layer also can be responsible forreading and writing database configuration data to/from theadministration data store, in response to the API calls. In manyembodiments, the Web services layer will be the only externally visiblecomponent, or the only component that is visible to, and accessible by,customers of the control service. The servers of the Web services layercan be stateless and scaled horizontally as known in the art. APIservers, as well as the persistent data store, can be spread acrossmultiple data centers in a region, for example, such that the serversare resilient to single data center failures.

The control plane in this embodiment includes what is referred to hereinas a “sweeper” component 214. A sweeper component can be any appropriatecomponent operable to poll various components of the control plane orotherwise determine any tasks to be executed in response to anoutstanding request. In this example, the Web services layer might placeinstructions or information for the “create database” request in theadmin data store 222, or a similar job queue, and the sweeper canperiodically check the admin data store for outstanding jobs. Variousother approaches can be used as would be apparent to one of ordinaryskill in the art, such as the Web services layer sending a notificationto a sweeper that a job exists. The sweeper component can pick up the“create database” request, and using information for the request cansend a request, call, or other such command to a workflow component 216operable to instantiate at least one workflow for the request. Theworkflow in one embodiment is generated and maintained using a workflowservice as is discussed elsewhere herein. A workflow in general is asequence of tasks that should be executed to perform a specific job. Theworkflow is not the actual work, but an abstraction of the work thatcontrols the flow of information and execution of the work. A workflowalso can be thought of as a state machine, which can manage and returnthe state of a process at any time during execution. A workflowcomponent (or system of components) in one embodiment is operable tomanage and/or perform the hosting and executing of workflows for taskssuch as: repository creation, modification, and deletion; recovery andbackup; security group creation, deletion, and modification; usercredentials management; and key rotation and credential management. Suchworkflows can be implemented on top of a workflow service, as discussedelsewhere herein. The workflow component also can manage differencesbetween workflow steps used for different database engines, such asMySQL, as the underlying workflow service does not necessarily change.

In this example, a workflow can be instantiated using a workflowtemplate for creating a database and applying information extracted fromthe original request. For example, if the request is for a MySQL®Relational Database Management System (RDBMS) instance, as opposed to anOracle® RDBMS or other such instance, then a specific task will be addedto the workflow that is directed toward MySQL instances. The workflowcomponent also can select specific tasks related to the amount ofstorage requested, any specific hardware requirements, or other suchtasks. These tasks can be added to the workflow in an order of executionuseful for the overall job. While some tasks can be performed inparallel, other tasks rely on previous tasks to be completed first. Theworkflow component or service can include this information in theworkflow, and the tasks can be executed and information passed asneeded.

An example “create database” workflow for a customer might includestasks such as provisioning a data store instance, allocating a volume ofoff-instance persistent storage, attaching the persistent storage volumeto the data store instance, then allocating and attaching a DNS (DomainName System) address or other address, port, interface, or identifierwhich the customer can use to access or otherwise connect to the datainstance. In this example, a user is provided with the DNS address and aport address to be used to access the instance. The workflow also caninclude tasks to download and install any binaries or other informationused for the specific data storage technology (e.g., MySQL). Theworkflow component can manage the execution of these and any relatedtasks, or any other appropriate combination of such tasks, and cangenerate a response to the request indicating the creation of a“database” in response to the “create database” request, which actuallycorresponds to a data store instance in the data plane 210, and providethe DNS address to be used to access the instance. A user then canaccess the data store instance directly using the DNS address and port,without having to access or go through the control plane 208. Variousother workflow templates can be used to perform similar jobs, such asdeleting, creating, or modifying one of more data store instances, suchas to increase storage. In some embodiments, the workflow information iswritten to storage, and at least one separate execution component (notshown) pulls or otherwise accesses or receives tasks to be executedbased upon the workflow information. For example, there might be adedicated provisioning component that executes provisioning tasks, andthis component might not be called by the workflow component, but canmonitor a task queue or can receive information for a provisioning taskin any of a number of related ways as should be apparent.

As mentioned, various embodiments can take advantage of a workflowservice that can receive requests or calls for a current state of aprocess or task, such as the provisioning of a repository, and canreturn the current state of the process. The workflow component and/orworkflow service do not make the actual calls or requests to performeach task, but instead manage the state and configuration informationfor the workflow that enables the components of the control plane todetermine the next task to be performed, and any information needed forthat task, then generate the appropriate call(s) into the data planeincluding that state information, whereby a component of the data planecan make the call to perform the task. Workflows and tasks can bescheduled in parallel in order to increase throughput and maximizeprocessing resources. As discussed, the actual performing of the taskswill occur in the data plane, but the tasks will originate from thecontrol plane. For example, the workflow component can communicate witha host manager, which can make calls into the data store. Thus, for agiven task a call could be made to the workflow service passing certainparameters, whereby the workflow service generates the sequence of tasksfor the workflow and provides the current state, such that a task forthe present state can be performed. After the task is performed (orotherwise resolved or concluded), a component such as the host managercan reply to the service, which can then provide information about thenext state in the workflow, such that the next task can be performed.Each time one of the tasks for the workflow is performed, the servicecan provide a new task to be performed until the workflow is completed.Further, multiple threads can be running in parallel for differentworkflows to accelerate the processing of the workflow.

The control plane 208 in this embodiment also includes at least onemonitoring component 218. When a data instance is created in the dataplane, information for the instance can be written to a data store inthe control plane, such as a monitoring data store 220. It should beunderstood that the monitoring data store can be a separate data store,or can be a portion of another data store such as a distinct set oftables in an Admin data store 222, or other appropriate repository. Amonitoring component can access the information in the monitoring datastore to determine active instances 234 in the data plane 210. Amonitoring component also can perform other tasks, such as collectinglog and/or event information from multiple components of the controlplane and/or data plane, such as the Web service layer, workflowcomponent, sweeper component, and various host managers. Using suchevent information, the monitoring component can expose customer-visibleevents, for purposes such as implementing customer-facing APIs. Amonitoring component can constantly monitor the health of all therunning repositories and/or instances for the control plane, detect thefailure of any of these instances, and initiate the appropriate recoveryprocess(es).

Each instance 234 in the data plane can include at least one data store226 and a host manager component 228 for the machine providing access tothe data store. A host manager in one embodiment is an application orsoftware agent executing on an instance and/or application server, suchas a Tomcat or Java application server, programmed to manage tasks suchas software deployment and data store operations, as well as monitoringa state of the data store and/or the respective instance. A host managerin one embodiment listens on a port that can only be reached from theinternal system components, and is not available to customers or otheroutside entities. In some embodiments, the host manager cannot initiateany calls into the control plane layer. A host manager can beresponsible for managing and/or performing tasks such as setting up theinstances for a new repository, including setting up logical volumes andfile systems, installing database binaries and seeds, and starting orstopping the repository. A host manager can monitor the health of thedata store, as well as monitoring the data store for error conditionssuch as I/O errors or data storage errors, and can restart the datastore if necessary. A host manager also perform and/or mange theinstallation of software patches and upgrades for the data store and/oroperating system. A host manger also can collect relevant metrics, suchas may relate to CPU, memory, and I/O usage.

The monitoring component can communicate periodically with each hostmanager 228 for monitored instances 234, such as by sending a specificrequest or by monitoring heartbeats from the host managers, to determinea status of each host. In one embodiment, the monitoring componentincludes a set of event processors (or monitoring servers) configured toissue commands to each host manager, such as to get the status of aparticular host and/or instance. If a response is not received after aspecified number of retries, then the monitoring component can determinethat there is a problem and can store information in the Admin datastore 222 or another such job queue to perform an action for theinstance, such as to verify the problem and re-provision the instance ifnecessary. The sweeper can access this information and kick off arecovery workflow for the instance to attempt to automatically recoverfrom the failure. The host manager 228 can act as a proxy for themonitoring and other components of the control plane, performing tasksfor the instances on behalf of the control plane components.Occasionally, a problem will occur with one of the instances, such asthe corresponding host, instance, or volume crashing, rebooting,restarting, etc., which cannot be solved automatically. In oneembodiment, there is a logging component (not shown) that can log theseand other customer visibility events. The logging component can includean API or other such interface such that if an instance is unavailablefor a period of time, a customer can call an appropriate “events” orsimilar API to get the information regarding the event. In some cases, arequest may be left pending when an instance fails. Since the controlplane in this embodiment is separate from the data plane, the controlplane never receives the data request and thus cannot queue the requestfor subsequent submission (although in some embodiments this informationcould be forwarded to the control plane). Thus, the control plane inthis embodiment provides information to the user regarding the failureso the user can handle the request as necessary.

As discussed, once an instance is provisioned and a user is providedwith a DNS address or other address or location, the user can sendrequests “directly” to the data plane 210 through the network using aJava Database Connectivity (JDBC) or other such client to directlyinteract with that instance 234. In one embodiment, the data plane takesthe form of (or at least includes or is part of) a computing cloudenvironment, or a set of Web services and resources that provides datastorage and access across a “cloud” or dynamic network of hardwareand/or software components. A DNS address is beneficial in such adynamic cloud environment, as instance or availability failures, forexample, can be masked by programmatically remapping a DNS address toany appropriate replacement instance for a use. A request received froma user 202 or application 204, for example, can be directed to a networkaddress translation (NAT) router 224, or other appropriate component,which can direct the request to the actual instance 234 or hostcorresponding to the DNS of the request. As discussed, such an approachallows for instances to be dynamically moved, updated, replicated, etc.,without requiring the user or application to change the DNS or otheraddress used to access the instance. As discussed, each instance 234 caninclude a host manager 228 and a data store 226, and can have at leastone backup instance or copy in persistent storage 230. Using such anapproach, once the instance has been configured through the controlplane, a user, application, service, or component can interact with theinstance directly through requests to the data plane, without having toaccess the control plane 232. For example, the user can directly issuestructured query language (SQL) or other such commands relating to thedata in the instance through the DNS address. The user would only haveto access the control plane if the user wants to perform a task such asexpanding the storage capacity of an instance. In at least oneembodiment, the functionality of the control plane 208 can be offered asat least one service by a provider that may or may not be related to aprovider of the data plane 210, but may simply be a third-party servicethat can be used to provision and manage data instances in the dataplane, and can also monitor and ensure availability of those instancesin a separate data plane 210.

FIG. 3 illustrates an example process 300 for performing an action andnotifying the customer, in accordance with one embodiment. Usingcomponents and/or processes such as those discussed above, a determinedaction with respect to the data environment is authorized to beperformed 302. As discussed, this can take the form of the monitoringcomponent automatically requesting an action to be performed or acustomer authorizing the performance of an action, while in otherembodiments a customer could instead submit a request via anexternally-facing API of the Web services layer, which can parse therequest to determine the action(s) being requested. In this embodiment,information for the action, such as the type of action and parameters tobe used to perform the action, is written to a job queue 304, such asmay be located in an Admin data store or other such storage location.The job queue can be monitored, such as by a sweeper component, todetermine the presence of job information 306 and, when job informationis detected, a request can be sent to initiate a workflow for therequested action 308. This can include a request sent by the sweepercomponent to a workflow component and/or service to instantiate aworkflow. In other embodiments, a workflow component might monitor thejob queue for jobs, or a component of the Web services layer may sendthe job information directly to a workflow component.

Upon receiving the job information, the information is analyzed todetermine and/or assemble an appropriate workflow for the requestedaction 310. As discussed, different tasks can be selected for theworkflow based upon factors such as the type of action requested and thetype of database engine being used. Beginning with the first task of theworkflow, state information is sent to a host manager in the dataenvironment operable to use the state information to determine a task tobe performed, perform the task with respect to a data repository and/ordata instance, and return a response upon completion of the task 312.Upon receiving the response, the workflow component determines whetherthere is another task to be performed 314. If so, state information forthe next task is sent to the host manager, and upon completion of thattask the host manager sends a response to the workflow component. Afterthe final task has been completed, a message is sent to the requestingcustomer (or another appropriate user, application, or location) thatthe requested action has been completed 316. After the action has beenperformed, the customer is able to directly access the data instanceupon which the action was performed using a data interface of the dataenvironment, without accessing or passing through the control plane 318.As mentioned, the user can be provided with a DNS name and port number,for example, such that if the action resulted in movement of data oranother similar action, the customer or an application can continue touse the same DNS name, which will be directed to the appropriatelocation in the data plane.

As discussed, one advantage to the use of a control plane is that thecontrol plane can function as a virtual database administrator (DBA) andavoid the need for a human DBA to perform tasks such as monitoringperformance data and performing trending or other such analysis. Acontrol plane can also perform functions such as automaticallyperforming scaling, recovery, or other such actions in the event of anactual or predicted need for action. Conventional approaches relying ona DBA to perform actions such as monitoring, analysis, cloning, andrecovery are expensive and time-consuming, and can result in significantunavailability of customer data during the recovery and/or cloningprocesses.

A control plane can be used to perform tasks such as managing securityand access groups for data stores, data instances, and other suchaspects of a data plane or other such environment. A control plane can,in conjunction with the data plane, ensure that requests to performcertain actions in the data plane occur via the control plane. Thus, thecontrol plane can manage user groups and control access for those taskswithout modifying the default or native user information of the dataenvironment. Such an approach enables access groups to be added,modified, or deleted without requiring an outage or other suchunavailability of the corresponding data instance.

FIG. 4 illustrates an example process 400 for setting up a data storewith control plane-based user management in accordance with oneembodiment. In this example, a request is received from a customer (orother such user) requesting the creation of a data instance using a“create database” or similar call as discussed above 402. A workflow isgenerated and kicked off that includes tasks for creating the datainstance 404. As part of the creation of the data instance, at least onedefault (or “native” from a data environment point of view) securityuser or security group is created in the data environment for the datainstance. As part of the workflow, permissions can be applied to thedefault security group 406. Native access to the data instance throughan API or other interface of the data plane can be restricted 408, suchas by modifying or adding permission rules for the default securitygroup. As part of the creation workflow, a separate workflow or process,and/or in response to a separate request, at least one RDS securitygroup can be created for the data instance via the control environment410. Each RDS security group for the data instance can be associatedwith the native control group in the data environment 412. Permissionscan be set for each RDS security group 414, such as may include “readonly” or “read and write” access. Once the data instance is created,customers or other authorized users are enabled to access the datainstance according to permissions set in the appropriate RDS securitygroup 416. Due to the restrictions on access through the data interface,a customer can be forced to call into the control environment to set oradjust access levels and/or permissions for users or groups of users.

FIG. 5 illustrates an example configuration 500 that can be used tostore security group information in accordance with one embodiment.Reference numbers are carried over between figures for purposes ofsimplicity and explanation, but such use should not be construed asshowing only a single embodiment or otherwise limiting the scope of thevarious embodiments. Further, only certain components are shown in eachfigure, but it should be understood that other, additional, oralternative components can be used as discussed and suggested herein. Asillustrated, a data instance in the data environment includes a hostmanager and a data store, with information for the data store beingstored to a native user data store 502. While shown as a separate datastore, it should be understood that the native user data can be storedas part of another data store inside or outside the instance. When anRDS user group is associated with the native security group in the dataenvironment, RDS user group information is created that can be stored ina data store 504 in the control environment 506 and/or a data store 508in the data environment 510. Storing the RDS user group data in the dataplane can allow users to access the data directly through an API orother interface of the data plane (assuming the users have suchpermission) without accessing the control plane. Storing the RDS usergroup data in the control environment allows the control plane toquickly access the information when required for a customer action, andenables the control plane to recover the groups more quickly in theevent of a failure of the data environment. Other advantages can beobtained through storing the information in either or both locations.

As discussed, certain functionality can be disabled via the data plane.Customers can be restricted from modifying users through the data plane,and instead can utilize at least one API or interface of the controlplane to make such changes. Even a “super user” created uponprovisioning of a data instance cannot modify security user groupinformation through the data plane in various embodiments. In oneembodiment, separate APIs are provided for adding users, deleting users,modifying user information, and managing RDS security groups. Certainfunctionality can still be restricted, however. For example, customersmay not be granted lower level access that allows the customers torequest operations such as shutting down an instance in the data plane.APIs also can be provided that allow customers to obtain statistics orother data from a monitoring data store or other such location, relatingto aspects such as identities of users accessing the data, types ofaccess, etc.

A default or “super” user can typically perform low-level actions in thedata environment such as changing schema or attributes of a data store,adding or deleting tables or rows, or other such actions. A customermight wish to add user groups with other levels of access, such asread-only access or access to specific tables. Various other levels ofaccess can be granted as known in the art. In this example, however,calls to adjust users, users groups, data access, or other suchfunctionality must be submitted through the control plane, such that theRDS user or security group information can be adjusted in the controlenvironment. Since the RDS user information is tied to a native usergroup that does not change in the data environment, the changes do notrequire an outage of the data store or data instance.

In some embodiments, several data volumes in the data environment mightmake up a logical volume group associated with a data instance. Nativepermissions such as the ability to access, read, or write data to thedata volumes can be handled through the control plane. The users canaccess the data instance independent of any knowledge of the underlyingdata volumes. The users are not given access to modify these nativepermissions through the data plane, but instead pass through an API orother interface of the control plane providing an identifier for thedata instance.

When a data instance is created, customers can specify one or moresecurity groups to restrict network access to the data instance.Customers can authorize access to the data instance by adding permissionrules to the security group that are applied to the database via anAuthorizeDBSecurityGroupIngress or similar API. Customers can also addor remove security groups from a data instance at any time using aModifyDatabase or similar API. Customers can create (or delete) securitygroups using a CreateDBSecurityGroup (or DeleteDBSecurityGroup) API.

As part of the CreateDatabase API, customers can supply a username andpassword for a special database user referred to herein as “DatabaseOwner.” Database Owner is a special type of user who owns the dataschema objects. Customers are not allowed to manage users directly in aprovisioned data store, so this functionality is provided in oneembodiment through three additional APIs. After creation of a datainstance, a customer can add more users to the database using aCreateDatabaseUser API, remove users using a DeleteDatabaseUser API, andlist the users using a DescribeDatabaseUsers API.

In one example, a customer can have a self-managed “Customer” MySQLdatabase that the customer wants to move to an RDS environment. Thecurrent “Customer” database has a 60 GB capacity, running with peakconcurrent processes less than 50 and having storage growth estimatesaround 10% per month. Based on these initial capacity requirements, thecustomer selects an instance to be provisioned with an initial capacityof 80 GB. The customer chooses a master user and master user password,and based on firewall requirements chooses an appropriate port number(e.g., 9030) on which the data instance will be listening.

The customer, if not already signed up or subscribed to the controlservice, can sign up for the service. In some embodiments, the user willreceive software or will access an interface page through the Internet,for example, that will allow a user to submit requests to the controlplane or service. In other embodiments, a user can manually (orotherwise) create and submit Web service calls to the control plane. Inthe following example, the customer generates a request to create a newdata repository using a command line tool. A request can take the formof, for example:

rds-create-database --identifier customerprod --dbname customer - -size80 -class small --engine mysqI5.1 --master master_username --passwordmaster_password --port 4030

When the customer executes a “create database” call using the API orcommand line tool, components of the Web service tier can prepare thecontrol plane for provisioning. The Web service can authenticate andauthorize the customer, validate request parameters, and create a recordin the Admin data store for the customer data instance. The lifecycle inthe record can be marked as “Creating,” for example, which can bechanged to a state such as “Pending” to prepare the creation job forpickup by a workflow sweeper or other such component.

With completion of the initial activity by the Web service tier, thedata instance is ready to be provisioned. A sweeper can periodicallypoll the Admin data store for work to complete. A database record with achange state of “Pending” can cause the sweeper to launch a“CreateDatabase” or similar workflow instance. An initial action of theworkflow can be to update the change state of the data instance to astate such as “Applying” so that other sweepers are aware the change isin progress and do not attempt to launch another workflow.

In one embodiment, the workflow takes the initial steps to provision theresources that will makeup the data instance. The tasks of such aworkflow can include the creation of the instance in the dataenvironment, with allocation of a DNS name and/or port allowing users toaccess the instance. Other tasks can allocate and attach the datavolumes to be used for the data instance. Data volumes can be requestedbased on configuration information specifying aspects such as a maximumsize of an individual volume, and the desired minimum number of datavolumes. Multiple volumes are provisioned in at least one embodimentbecause a single volume can provide a limited number of input/output persecond (IOPS) operations, which can be increased by provisioningmultiple data volumes and striping or otherwise allocating the datainstance across the data volumes.

An RDS security group can provide functionality that acts as a firewallor other barrier protecting a data store or data instance in the dataenvironment. An RDS security group enables a customer to define aspectssuch as which IP (Internet protocol) range and/or instances cancommunicate with a data store. The RDS security group permissions can beimplemented using the respective security group for each data store.

For example, a customer can apply two RDS security groups to a datainstance (i.e., with a database identifier such as “mydbid”) where afirst RDS security group allows access from a classless inter-domainrouting (CIDR) range “x.y.z.0” and a second RDS security group allowsaccess from data instances associated with a first database securitygroup, SecGroup1. In this example, a new security group (e.g.,mydbidSecGroup) for the data store mydbid with permissions to allowaccess only from “x.y.z.0,” and allow access from data instances withsecurity group SecGroup1. The group mydbidSecGroup can be applied to theinstance that hosts the data store. By using a new native security groupfor each data store, changes can be made to the first security groupwithout restarting the data instance. Each data instance (provisioned byRDS) also can be a member of a default security group.

Once each of the core resources becomes available, the workflow canprepare the data instance with the necessary components. The datavolumes can be attached to the instance, and files for the host managercan be loaded and verified. Once verified, the host manager applicationcan be deployed and executed. In one embodiment, a Tomcat manager forthe instance is requested to deploy and install a Host Manager WAR file,then start the host manager application. Once the host manager isrunning, the data instance has the functionality needed to install thedatabase engine (e.g., MySQL, Oracle RDBMS, etc.) and setup the customerdata store. The workflow can now communicate with the host manager, andpass information that causes the host manager to mount the data volumesand prepare the file system. A file system may need to be built for atleast three roles: binary, logs, and data. To do this, the control planein one embodiment sends a storage configuration file (i.e., an XML file)which provides the information to the host manager on the mount pointsand volumes to be used for each role. Using this information, the hostmanager can create the physical devices, such as by using a pvcreate orsimilar process, for all volumes provisioned for a given role. The hostmanager then can create a logical volume that stripes the data acrossthese devices for each role.

A public signing key can be installed to the host manager, and thedatabase engine can be downloaded and installed. A Tomcat server on thedata instance can download and verify the signed package manager,followed by an unpack, installation, and launch of the package. A blankdata store can be installed to be used as the basis of the customer datastore, enabling permissions and tables used for management to be easilyapplied. The customer data store can be created and the root passwordfor the data store changed. The master user also can be created asspecified in the customer request.

The customer can have the ability to check on the provisioning status,and can request a connect string using the command line tool to describethe repository, such as by submitting:

describe-repositories customerprod

The customer can grant access to the default security group, such asfrom the address range 205.192.0.0/16 by:

authorize default -s 205.192.0.0/16

The customer also can check on the status of security changes, such asby submitting:

describe-group default

A “DescribeDatabases” or similar API can be used to determine the statusof the request. While provisioning is still in progress, the status willshow as “Pending Creation,” for example, and can be changed to a statesuch as “Created” once the provisioning has been completed. At thispoint, the customer can have all the information necessary forconnecting to the repository.

Once the provisioning process is completed, the instance is running andthe customer data store can be exposed for customer use. As a final taskof the workflow, a record in the Admin data store can be updated for thecustomer data store, such as to mark the lifecycle as “Available” andmark the change state as “none”.

In this example, the customer also wants to implement data securitythrough role-based access control. Before turning on the provisioned andloaded data instance and making the instance available, the customerwants to implement role-based access control such that a developmentteam will have read/write access to the repository but business analystswill only obtain read access. The client also wants “master user” accesslimited to handful of senior users, so the remaining developers need adifferent database user role.

With respect to the control plane, the customer can submit a request tocreate a new database user or user group using the command line tool,for example, such as by submitting the following:

create-user --identifier customerprod --username develop1 --  passworddevelop1 create-user --identifier customerprod --username analyst1-- password analyst1The customer can also check on provisioning status for the request, suchas by submitting:

describe-users customerprod

While provisioning is still in progress, the status can show a statesuch as “Pending Creation,” and the status will be changed to a statesuch as “Created” once the provisioning has been completed. The customercan now perform necessary tasks for securing the users in the dataplane.

The customer can, with respect to the data plane, perform an action suchas granting read/write privileges to a develop1 user for all tablesowned by master_username, such as by submitting through an API of thecontrol plane:

$ mysql-u master_username -h end_point_hostname --port 4030 -p   master1Mysql>grant select, insert, update, delete on master_username.*   to‘develop1’@‘%’;The customer can also grant read privileges to an analyst1 user for alltables owned by master_username:

$ mysql-u master_username -h end_point_hostname --port 4030 -p   master1Mysql>grant select on master_username.*to‘analyst1’@‘%’;

When the customer makes a request to describe users to the API orcommand line tool, the Web service tier can immediately fulfill therequest by querying the Admin data store for configured permissions ifthe user name is specified. If the user name is not specified, the Admindata store can be queried for all users on the data store. The Webservice tier also can perform tasks such as formatting the dataaccording to the API specification, and responding to the customerrequest.

Alternatively, a customer can be provided with an application and/orinterface that allows the customer to specify parameters, groups, andother such information, and will generate the appropriate calls into theAPIs of the control plane. For example, FIG. 6 illustrates an example ofan interface page 600 that can be used to apply or update security groupinformation in accordance with one embodiment. In this example, acustomer can specify a customer group or customer identifier 602, orother such identifier, which can correspond to a particular data storeor data instance for which security settings are to be reviewed and/orupdated. The customer also can be provided with user-selectable elements604 enabling the customer to specify, add, or delete RDS securitygroups, as well as to adjust parameters for each group, such as accesspasswords and access levels. A customer also can see and/or update astatus of a security group. In this example, it can be seen that a firstsecurity group “Developer1” has “read and write” access to the datainstance, while “Analyst1” has “read only” access. Both groups areactive. If a customer wants to update this information, the customerupdates the appropriate fields or other element(s), which causes anappropriate request to be submitted to an interface of the controlplane.

When the customer requests a new data store user via the API or commandline tool, the control plane can manage the creation. A state of thedata store is validated to ensure that the state allows for the creationof a user (e.g., not in a “Creating” or “Deleting” state). A record canbe created for the user in the Admin data store with a “Creating”lifestyle and “Pending” change state. A sweeper polling the Admin datastore will locate the user record with a change state of “Pending,” anda lifecycle of “Creating” causes the sweeper to launch a workflowinstance that satisfies the request. A first action is to update thechange state to “Applying” or a similar state so that other sweepers areaware work is underway. The workflow can cause the user to be createdfor the data instance by requesting that the host manager create theuser and updating the Admin data store user record to an “Available”lifestyle with a change state of “none”.

There can be a number of other actions performed via the control planerelating to users and security groups. For example, a ResetUserPasswordor similar API can be exposed via the Web service layer to allow usersto change forgotten passwords. When a customer requests a database userpassword reset, the Web service layer can validate that the lifecycleallows such user operations (e.g., not in a “Creating” or “Deleting”state), and validate that the user lifecycle allows a password reset(e.g., set to “Available”). The record for the user can be updated inthe Admin data store with a lifecycle of “Reset Password” and a changestate of “Pending”. A sweeper discovering such a record can launch aworkflow that updates the change state to “Applying,” and requests thatthe host manager modify the user password. The workflow then can updatethe record in the Admin data store to a lifecycle of “Available” and achange state of “None,” and can notify the customer.

When the customer requests to delete a user, the Web service layer canvalidate that the lifecycle allows such user operations (e.g., not in a“Creating” or “Deleting” state), and validate that the user lifecycleallows a password reset (e.g., set to “Available”). The record for theuser can be updated in the Admin data store with a lifecycle of“Deleting” and a change state of “Pending”. A sweeper discovering such arecord can launch a workflow that deletes the user by updating thechange state to “Applying,” and requesting that the host manager deletethe user and disconnect any current connections. The workflow then candelete the record for the user in the Admin data store, and can notifythe customer.

The customer can request a list of security groups for a data store ordata instance, wherein if the security group name is specified, theAdmin data store is queried for configured permissions of this group. Ifthe security group name is not specified, the Admin data store can bequeried for all security groups for the customer, or as according to anyother parameter specified by the request.

If the customer requests a new RDS security group, a record can becreated for the security group in the Admin data store with a status of“Active.” If the customer requests to delete an existing RDS securitygroup, the control plane can validate that no data stores or datainstances are members of the security group, and removes the record forthe security group in the Admin data store.

If the customer requests to add a new native security group in the dataenvironment or modify an IP range for an existing native security group,the control plane can validate that the native security group state is“Active” and can add a new entry for the access rule in the Admin datastore with a lifecycle of “Creating” and a change state of “Pending.” Asweeper can pick up such a record and launch a workflow to authorize anew security group, and updates the change state to “Applying.” Aworkflow can be launched with tasks for all data stores and/or datainstances that are a member of the modified security group. For eachaffected member, the native security group permissions can berecomputed. When completed, the record for the security group in theAdmin data store can be updated to a lifecycle of “Active” and a changestate of “None.”

If the customer requests removal of a native security group or reductionof an IP range for an existing native security group, the control planecan validate that the native security group state is “Active” and canupdate the record for the access rule in the Admin data store with alifecycle of “Deleting” and a change state of “Pending.” A workflow canbe launched with tasks for all data stores and/or data instances thatare a member of the modified security group.

As discussed previously, the use of a control plane or service inaccordance with various embodiments does not restrict the type of SQLqueries that a customer can run, and does not impose any restrictionsrelating to construction of a schema, such as to be partition ready andnot allow queries spanning partitions. Instead, a repository such as arelational database can be provisioned in a computing “cloud” withoutrestricting the users' schema or queries. As commonly known, even thoughthere is a theoretical SQL standard, the SQL quirks, syntaxes and theirbehaviors (e.g., NULL handling) vary across different relationaldatabase engines (e.g., MySQL, Oracle, or Postgres). For at least thesereasons, users may wish to choose a relational database engine that isfamiliar for purposes of programming and operations. Such an approachallows customers to use the same set of database tools that thecustomers have used previously for tasks such as data modeling,development, and debugging, even when the customers migrate their datastores to the cloud (or elsewhere) via the control plane. Using such anapproach, customers are not required to rewrite their application or anyoperational tools, which lowers the barrier of entry significantly forcustomers to move data to the cloud.

A customer's data repositories can be moved to the cloud in oneembodiment by running the repositories on compute nodes of a cloudcomputing environment. Block level storage volumes, such as off-instancestorage volumes that persist independently from the life of an instance,can be used with these instances for storing the repository binary, logsand volumes, for example. Such an approach can be advantageous, as thevirtualization provides flexibility to quickly and easily scale acompute and storage resources for a repository. Further, such anapproach can provide for persistent storage in the cloud.

As known in the art, relational databases can be run in different modes,such as may include: stand-alone (non-replicated), replicated, orreplicated and partitioned. A customer typically makes the choice ofwhich mode to run for a repository based on the availability andscalability needs of the repository and the incurred total cost ofownership (TCO). Some applications and services do not require arepository to be highly available and durable, and may instead utilize astand-alone repository that is able to tolerate outages on the order ofminutes. Other applications and servers can require a repository to bealways available, and require the repository to never lose data even inthe event of a failure. In this case, the applications and servicestypically require a replicated database offering. Some users,applications, or services require a massively scalable repository thatcan partition data across multiple repositories, such that scaling canoccur beyond the compute and storage capacity of a single database. Toaddress these different use cases, an approach in accordance with oneembodiment offers at least two modes, such as stand-alone and highavailability, for each database engine. Some embodiments also allowcustomers build their own partitioning layer on top of eitherstand-alone or high availability repositories.

As mentioned, the control plane layer can take advantage, or “sit ontop,” of various basic software frameworks for performing tasks such as:implementing workflows, establishing secure communication channelsbetween the host managers of the data plane and the components of thecontrol plane, installing software on the instances of the data plane,and performing various database backup and recovery procedures.

One architecture that can be utilized advantageously relates toproviding secure communications to the host managers of the data planefrom the components of the host plane. In one embodiment, the workflowand monitoring components of the control plane are constantlycommunicating with the host managers to perform various tasks (e.g.,database maintenance and software installation), as well as to check thestatus of the various instances and/or repositories. It is important inat least some embodiments that all communications between the controlplane and the host managers occur over a secure network that preventsanyone from eavesdropping or issuing unauthorized commands to the hostmanagers.

In one embodiment, all communication channels to the host managers aresecure using a hypertext transfer protocol over a secure socket layer(SSL). Each application server hosting a host manager application can bestarted using scripts at bootup of an instance. Before starting theapplication server engine, a script can be executed that generates aself-signed certificate and installs the certificate to enable the SSLcommunication channel(s). SSL communication is used in one embodimentfor encrypting the communication channel and not for clientauthentication. Client authentication is instead achieved with apublic/private key signature embedded in each request, such that in oneembodiment all clients sign query string parameters using a private key.This signature can be validated by a custom interceptor, which can bedeployed with the application server for the host manager. Further, asecurity group (i.e., firewall rules) can be established for eachmonitored instance in the data plane such that only hosts sitting in agiven network or secure group can communicate using the host managerport. Secure information and credentials (such as private keys) can bestored in an appropriate keystore, which can provide for functionalitysuch as key management and rotation.

Another aspect that can be handled by taking advantage of variousframeworks includes the management of various security aspects, such assecure keys and user credentials. Secure information such as secure keysand passwords can be stored using a secure key management system orservice, such as is described in co-pending U.S. patent application Ser.No. 12/372,597, Feb. 17, 2009, and entitled “Encryption Key Management,”which is hereby incorporated herein by reference. Such a service cancontain at least two versions for each credential, an ‘OLD’ version andthe current version. A key can be rotated, for example, by uploading thenew value for the key to the service, such as by using the base name forthe key, and launching a workflow to propagate that key value to hostmanagers as needed. Once that workflow is terminated successfully, suchthat each appropriate host has the new credential, the old version ofthe key can be effectively replaced with the new value. If, for anycredential, the old key does not match the new key, that is anindication that a key rotation process is currently underway. A new keyrotation is not started if the old key does not match the current key,as such an approach can risk losing credentials that may still be inuse. A command line utility or similar interface can be used to pushkeys to the key management service, which can enforce this check.

A separate workflow can be defined for updating and/or rotatingcredentials such as host manager credentials on all host managerinstances. Such an approach can utilize the same inputs as a“SendCredentials” or similar API on the each host manager, such ascredential type, public key, and optional private key. In place of thecredential value, however, the workflow can will accept the name of thekey used to store that value in the key management service. The workflowcan verify that the current value is different from the new value, andif the values are the same the workflow can terminate with anappropriate error condition. For each active host managed by the controlplane, a sub-workflow can be launched that will send the newcredential(s) to the host managers on each host. Once all thesub-workflows are complete, the new credential value can replace the oldvalue. Any host that is created or reactivated while this workflow is inprogress typically will need to be given the new version of thecredential instead of the original.

A sub-workflow for sending the credentials to a host can utilize requirethe same inputs as the original workflow, as well as the host name andport for the specific host manager. The sub-workflow can call an“UpdateCredentials” or similar API on the host manager for eachspecified credential, and can call a “GetCredentials” or similar API onthe host manager to verify that the update has completed. The hostmanager in at least one embodiment will not report the new value for thecredential until everything has been done to put the credential inplace. If all host managers are not updated within an appropriate periodof time, such as two hours (where two hours is configurable and easy toupdate as required), the workflow can time out and generate an errorticket or other such indication of failure. All the root/admincredentials used by a host manager to communicate with a repository canbe stored in the Admin repository in an encrypted form. When rotatingthe keys to encrypt passwords in the Admin repository, the new keys canbe uploaded to the management service and a workflow launched tore-encrypt all appropriate user passwords using the new key. Once thatworkflow completes successfully, the new encryption key can be used. Inaddition to changing the encryption keys, this workflow can also changethe root password for each database. A workflow for rotating passwordencryption keys can verify that the new encryption key is different fromthe old encryption key, encrypt any user passwords for in-flightworkflows with the new key, and encrypt the root passwords for anyinactive repositories with the new key. Since the repository isinactive, the passwords may not be changed but can be re-encrypted withthe new keys. For each active repository, a new root password can begenerated and stored in a pending changes field (encrypted with the newkey) and a sub-workflow can be launched for updating host managercredentials with the new password. When the sub-workflow completes, thenew root password can be written back to the data repository, using thenew encryption key. The root database password will not be changed whena repository is inactive, but the workflow that reactivates therepository can change the root password once the repository is active.

An approach in accordance with one embodiment utilizes a command lineutility that wraps a remote command and enforces restrictions on howcredentials are rotated. This can guarantee that public and private keysare only rotated in tandem, and that no key is rotated if a previousrotation is still in progress. The utility can verify that the keys weresuccessfully deployed to all hosts and then launch the appropriateworkflow in the appropriate control plane environment. A command lineutility can use a syntax such as:

rotate-rds-key \   --stage One of Devo, Integ, QA, or Prod\   --typecredential_type\   --publicKey value for public key \   --privateKeyoptional for some types; value for private keySuch a utility can fail if the current key is different from the old keyon any host in the fleet, there is an error copying the new key to anyhost in the fleet, or the workflow step could not be started. In thecase where the keys are already different, there may be no changes toroll back. The utility can roll back any changes in the other cases andalert the user of cases where the roll back was unsuccessful.

In a case where a host manager instance dies during an“UpdateCredentials” or similar workflow, allowing the workflow to retrycan handle many scenarios with no special logic on the workflow side.Workflow steps other than the step that is updating credentials mayreceive “MissingCredential” or similar exceptions from which theworkflows will need to recover. In such cases, it can be acceptable tosend the new credential to the host manager. In the case of a databaseadministration password, the password change may not have taken effect.The workflow step that tries to re-send the root password (as well asany other call to Host Manager that requires the root password fromother workflows) can fail with a “MissingCredentials” or similarexception. Workflow steps other than the change password workflow canattempt to set the credential to the new password and handle anyfailures. The workflow that is actively trying to change the passwordcan first try sending the new password. If that succeeds, the workflowis done; otherwise, the workflow can retry with the old passwordfollowed by the new password. If the host manager receives an“UpdateCredentials” or similar call for the root password where the hostmanager does not currently have a password in memory, the host managercan attempt to connect to the repository using that password and fail ifthe connection cannot be established.

The rotations of various credentials and secure objects are accomplishedin many instances without any noticeable impact on the customers. As theweb service layer in many embodiments does not use any of thesecredentials as part of processing customer requests, the customer APIcalls can continue to proceed as normal. The impact of rotating acredential can vary somewhat depending on the type of credential beingrotated. For example, when a new pair of Web services keys is generated,requests signed with the original pair may start to fail. This will onlyaffect workflow steps, in general, which the workflow system can retryfor a period of time. The new Web services credentials can be uploadedquickly to the management service in order to minimize the disruption toongoing workflows. While workflows for generating and propagating newpasswords are in progress, workflow boxes can have access to both oldand new encryption keys, such that connections can be made to individualrepositories and instances while each workflow is in progress. For hostmanager authentication keys, production hosts can have retry logic inplace to retry connections with the old key if requests are beingrejected. For RPM signing keys, host managers may be unable to installsoftware for some time if a key is rotated.

As discussed above, the various embodiments can be implemented in a widevariety of operating environments, which in some cases can include oneor more user computers, computing devices, or processing devices whichcan be used to operate any of a number of applications. User or clientdevices can include any of a number of general purpose personalcomputers, such as desktop or laptop computers running a standardoperating system, as well as cellular, wireless, and handheld devicesrunning mobile software and capable of supporting a number of networkingand messaging protocols. Such a system also can include a number ofworkstations running any of a variety of commercially-availableoperating systems and other known applications for purposes such asdevelopment and database management. These devices also can includeother electronic devices, such as dummy terminals, thin-clients, gamingsystems, and other devices capable of communicating via a network.

Various aspects also can be implemented as part of at least one serviceor Web service, such as may be part of a service-oriented architecture.Services such as Web services can communicate using any appropriate typeof messaging, such as by using messages in extensible markup language(XML) format and exchanged using an appropriate protocol such as SOAP(derived from the “Simple Object Access Protocol”). Processes providedor executed by such services can be written in any appropriate language,such as the Web Services Description Language (WSDL). Using a languagesuch as WSDL allows for functionality such as the automated generationof client-side code in various SOAP frameworks.

Most embodiments utilize at least one network that would be familiar tothose skilled in the art for supporting communications using any of avariety of commercially-available protocols, such as TCP/IP, OSI, FTP,UPnP, NFS, CIFS, and AppleTalk. The network can be, for example, a localarea network, a wide-area network, a virtual private network, theInternet, an intranet, an extranet, a public switched telephone network,an infrared network, a wireless network, and any combination thereof.

In embodiments utilizing a Web server, the Web server can run any of avariety of server or mid-tier applications, including HTTP servers, FTPservers, CGI servers, data servers, Java servers, and businessapplication servers. The server(s) also may be capable of executingprograms or scripts in response requests from user devices, such as byexecuting one or more Web applications that may be implemented as one ormore scripts or programs written in any programming language, such asJava®, C, C# or C++, or any scripting language, such as Perl, Python, orTCL, as well as combinations thereof. The server(s) may also includedatabase servers, including without limitation those commerciallyavailable from Oracle®, Microsoft®, Sybase®, and IBM®.

The environment can include a variety of data stores and other memoryand storage media as discussed above. These can reside in a variety oflocations, such as on a storage medium local to (and/or resident in) oneor more of the computers or remote from any or all of the computersacross the network. In a particular set of embodiments, the informationmay reside in a storage-area network (“SAN”) familiar to those skilledin the art. Similarly, any necessary files for performing the functionsattributed to the computers, servers, or other network devices may bestored locally and/or remotely, as appropriate. Where a system includescomputerized devices, each such device can include hardware elementsthat may be electrically coupled via a bus, the elements including, forexample, at least one central processing unit (CPU), at least one inputdevice (e.g., a mouse, keyboard, controller, touch screen, or keypad),and at least one output device (e.g., a display device, printer, orspeaker). Such a system may also include one or more storage devices,such as disk drives, optical storage devices, and solid-state storagedevices such as random access memory (“RAM”) or read-only memory(“ROM”), as well as removable media devices, memory cards, flash cards,etc.

Such devices also can include a computer-readable storage media reader,a communications device (e.g., a modem, a network card (wireless orwired), an infrared communication device, etc.), and working memory asdescribed above. The computer-readable storage media reader can beconnected with, or configured to receive, a computer-readable storagemedium, representing remote, local, fixed, and/or removable storagedevices as well as storage media for temporarily and/or more permanentlycontaining, storing, transmitting, and retrieving computer-readableinformation. The system and various devices also typically will includea number of software applications, modules, services, or other elementslocated within at least one working memory device, including anoperating system and application programs, such as a client applicationor Web browser. It should be appreciated that alternate embodiments mayhave numerous variations from that described above. For example,customized hardware might also be used and/or particular elements mightbe implemented in hardware, software (including portable software, suchas applets), or both. Further, connection to other computing devicessuch as network input/output devices may be employed.

Storage media and computer readable media for containing code, orportions of code, can include any appropriate media known or used in theart, including storage media and communication media, such as but notlimited to volatile and non-volatile, removable and non-removable mediaimplemented in any method or technology for storage and/or transmissionof information such as computer readable instructions, data structures,program modules, or other data, including RAM, ROM, EEPROM, flash memoryor other memory technology, CD-ROM, digital versatile disk (DVD) orother optical storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other medium which canbe used to store the desired information and which can be accessed bythe a system device. Based on the disclosure and teachings providedherein, a person of ordinary skill in the art will appreciate other waysand/or methods to implement the various embodiments.

The specification and drawings are, accordingly, to be regarded in anillustrative rather than a restrictive sense. It will, however, beevident that various modifications and changes may be made thereuntowithout departing from the broader spirit and scope of the invention asset forth in the claims.

What is claimed is:
 1. A system, comprising: at least one processor; anda memory, storing program instructions that when executed by the atleast one processor cause the at least one processor to implement a datastorage service, wherein the data storage service is configured to:receive, via a control plane interface, a request to add or update acontrol security group for a data instance in the data storage servicethat is associated with a native security group for the data instance,wherein the control plane interface provides a management interface formanaging the data instance separate from a data plane interface foraccessing data of the data instance; create or update the controlsecurity group for the data instance with a permission in the controlsecurity group that determines an access level of each member of thecontrol security group without modifying the native security group;store the permission in the control security group created or updatedaccording to the request for use in determining subsequent access to thedata instance by a member of the control security group; and controlaccess to the data instance via the data plane interface based, at leastin part, on the control security group.
 2. The system of claim 1,wherein a plurality of control security groups are associated with thedata instance, including the control security group, and wherein each ofthe control security groups have at least one of a different set ofpermissions and a different set of members.
 3. The system of claim 1,wherein to update the control security group includes at least one ofdeleting the control security group, adding at least one user, deletingat least one user, updating a password for the control security group,or modifying an access level of the control security group to the datainstance in the data environment.
 4. The system of claim 1, wherein thedata instance is a partition of a database added for the database aspart of automatically performing scaling of the database.
 5. The systemof claim 4, wherein the data storage service is configured to performthe scaling of the database responsive to an actual or predicted needfor scaling the database.
 6. The system of claim 1, wherein to create orupdate the control security group is performed while allowing access tothe data instance according to an existing security group for the datainstance.
 7. The system of claim 1, wherein the data storage service isfurther configured to communicate information for the created or updatedcontrol security group to a host manager for the data instance in thedata storage service.
 8. A method, comprising: performing by one or morecomputing devices: receiving, via a control plane interface, a requestto add or update a control security group for a data instance in a datastorage service that is associated with a native security group for thedata instance, wherein the control plane interface provides a managementinterface for managing the data instance separate from a data planeinterface for accessing data of the data instance; creating or updatethe control security group for the data instance with a permission inthe control security group that determines an access level of eachmember of the control security group without modifying the nativesecurity group; storing the permission in the control security groupcreated or updated according to the request for use in determiningsubsequent access to the data instance by a member of the controlsecurity group; and controlling access to the data instance via the dataplane interface based, at least in part, on the control security group.9. The method of claim 8, wherein a plurality of control security groupsare associated with the data instance, including the control securitygroup, and wherein each of the control security groups have at least oneof a different set of permissions and a different set of members. 10.The method of claim 8, wherein updating the control security groupincludes at least one of deleting the control security group, adding atleast one user, deleting at least one user, updating a password for thecontrol security group, or modifying an access level of the controlsecurity group to the data instance in the data environment.
 11. Themethod of claim 8, wherein the data instance is a partition of adatabase added for the database as part of automatically performingscaling of the database.
 12. The method of claim 11, wherein the datastorage service is configured to perform the scaling of the databaseresponsive to an actual or predicted need for scaling the database. 13.The method of claim 8, wherein the creating or updating the controlsecurity group is performed while allowing access to the data instanceaccording to an existing security group for the data instance.
 14. Themethod of claim 8, further comprising communicating information for thecreated or updated control security group to a host manager for the datainstance in the data storage service.
 15. One or more non-transitory,computer-readable storage media, storing program instructions that whenexecuted on or across one or more computing devices cause the one ormore computing devices to implement: receiving, via a control planeinterface, a request to add or update a control security group for adata instance in a data storage service that is associated with a nativesecurity group for the data instance, wherein the control planeinterface provides a management interface for managing the data instanceseparate from a data plane interface for accessing data of the datainstance; creating or update the control security group for the datainstance with a permission in the control security group that determinesan access level of each member of the control security group withoutmodifying the native security group; storing the permission in thecontrol security group created or updated according to the request foruse in determining subsequent access to the data instance by a member ofthe control security group; and controlling access to the data instancevia the data plane interface based, at least in part, on the controlsecurity group.
 16. The one or more non-transitory, computer-readablestorage media of claim 15, wherein a plurality of control securitygroups are associated with the data instance, including the controlsecurity group, and wherein each of the control security groups have atleast one of a different set of permissions and a different set ofmembers.
 17. The one or more non-transitory, computer-readable storagemedia of claim 15, wherein updating the control security group includesat least one of deleting the control security group, adding at least oneuser, deleting at least one user, updating a password for the controlsecurity group, or modifying an access level of the control securitygroup to the data instance in the data environment.
 18. The one or morenon-transitory, computer-readable storage media of claim 15, wherein thedata instance is a partition of a database added for the database aspart of automatically performing scaling of the database.
 19. The one ormore non-transitory, computer-readable storage media of claim 18,wherein the data storage service is configured to perform the scaling ofthe database responsive to an actual or predicted need for scaling thedatabase.
 20. The one or more non-transitory, computer-readable storagemedia of claim 15, wherein the creating or updating the control securitygroup is performed while allowing access to the data instance accordingto an existing security group for the data instance.